Cyber Social Responsibility is not just the right thing to do, it can benefit your bottom line. Learn more about what it means and how to get started.
Digital skills inequality threatens all of our safety and we need responsible companies to take action. Privacy and security have become things an individual needs to afford. They require skills and they require ability to select, and often pay for, safer solutions. You can get cheaper or free services, if you pay for them with your data.
The digital skill divide starts already in childhood. Digital safety skills are now being taught in schools, but not all schools can afford devices for kids to practice with, or technically competent staff to educate them. It gets even worse in adulthood. We adults rely on security and privacy awareness education in the workplace. The quality and availability of training varies widely. The vast majority of companies that provide training focus primarily on phishing training, and not on training "civic" online safety and privacy skills. Quality training is also disproportionately available to privileged office workers at larger companies. Only a few companies provide training to staff without laptops.
There is no legal requirement to do so either. Even with the Securities and Exchange Commission (SEC) set to come out with new rules for ESG disclosures and cybersecurity reporting, no one is talking about this societal problem and how companies could make it part of their sustainability strategies. The focus of the new cybersecurity rules is on improving reporting of cybersecurity incidents, cyber risk governance, and oversight. The SEC privacy rules are also under reform, but they still set a low bar for compliance with protecting customer information instead of truly protecting individual digital rights. These rules also have a limited impact, as the goal of the SEC is to protect US investors, not individuals or society. Not only is there a lack of regulatory pressure, the "S" (Society) in ESG is even becoming political in the US. This further discourages companies from taking action.
There are amazing non-profits and government organizations trying to bridge the gap and educate citizens, parents and caregivers. The problem is that these resources can be difficult to find, and require an individual to find motivation to seek them out first. That is where companies come in.
Cyber Social Responsibility is about taking an active role in protecting your employees and customers as individuals, as well as their digital rights. Reading the below, you may even realize you are already making an effort in this space. Cyber Social Responsibility is less about doing a lot yourself, and more about leveraging resources that are already out there, partnerships and collaboration. Simply doing the right thing and communicating it goes a long way.
Cyber Social Responsibility towards employees is about:
| | Common Practice | Sustainable Practice |
|---|---|---|
| Employee Data Privacy | The employer decides what is collected. The employee has little say in it if they wish to remain employed. | Collecting minimal data from employees, being transparent about it and making sure your employees feel in control of it. Educating employees on their digital rights. No one should have to read a book to understand exactly what you do with employee personal information. Example: personal use of work devices. What can your IT/Security team see? Do your employees know to what extent the activity on their devices is being monitored? |
| Employees as Cyber Coaches | Security training at the workplace focuses on protecting the employer's business and transferring the business risk to employees through training sign-offs. | Making it easy for employees to protect their families. Rewarding acting as a Cyber Coach to colleagues and in the community. Example: the employer provides anonymous training and support for personal or family security issues, as well as a password manager for employees' families to use. The employer also encourages employees to help their family adopt the password manager. |
| Psychological Safety | "Motivating" employees by making them fail phishing simulations. Employees cannot influence new security rules and processes that directly impact their work. | Motivating employees to learn online safety and privacy by making them feel safe and capable of learning. Making sure everyone can influence decisions affecting them. Eliminating unnecessary red tape and trusting your employees to make good decisions. Example: the security team has dealt with a security incident where a stranger joined an online meeting with a client and started presenting graphic videos ("Zoombombing"). Instead of immediately blocking screen sharing for all external participants, the security team talked with the people who regularly hold meetings with externals and came up with a solution where employees can grant screen sharing rights after verifying the participant. |
Cyber Social Responsibility towards customers and society is about:
| | Common Practice | Sustainable Practice |
|---|---|---|
| Customer Data Privacy | A vague data privacy notice that barely explains the personal data practices, out of fear of needing to update it too often. Controlling what data you share is impossible or very difficult: you need to click and read more. | Collecting data from individuals only in ways that benefit them and making sure people feel in control of it. Also educating customers on their digital rights. Actively influencing other organizations to be progressive with privacy. Again: no one should have to read a book to understand exactly what you do with personal information. Example: a productivity app company enables new privacy features as defaults, free for all customers, and campaigns to make sure customers are not only aware of them but demand the same from their other service providers. |
| Customers as Cyber Coaches | Security training is offered only to employees, and there are limited resources available for customers even on how to safely use the company's product or service. | Inspiring and rewarding acting as a Cyber Coach in society. Developing ways to help customers also learn digital safety skills and media literacy. Example: a bank implements engaging micro-learning and makes it available to all customers and their children in its app. |
| Building Trust | Playing it safe with communication and only communicating when it can no longer be avoided. Avoiding potentially politically sensitive topics such as disinformation. | Communicating openly and transparently. Verifying information before publishing it, and fighting disinformation by advocating and enabling fact checking. Maximizing customer trust not just in your organization, business and industry, but in digital society and authorities. Example: a company suffers a data breach and communicates actively with affected individuals, proactively offering them advice and even tools to help minimize the impact of the breach on them. The company also shares lessons learned so that other companies can avoid falling victim. |
| Cyber Responsibility in Vendor Assessments | Vendor assessments may or may not include requirements for cybersecurity and data privacy. | Making cyber social responsibility a part of vendor assessments, and partnering with and buying services from cyber responsible organizations. Example: asking vendors what they are doing to support employees as parents and caregivers in protecting their families online. Choosing not to do business with vendors that have unethical data practices, or whose leadership has convictions for cybercrime or privacy violations. |
Cyber Social Responsibility is undoubtedly the right thing to do. There are also direct bottom line benefits to addressing it in your ESG strategy. We will talk more about those as well as share more practical steps to get started with Cyber Social Responsibility in upcoming posts.
We'd love to hear about it and share success stories. We are also happy to chat, share our learnings and help you get started (free, with no strings attached).